Apache Struts 2 struts2-rest-showcase orders 'clientName' Parameter Persistent XSS

This script is Copyright (C) 2012-2015 Tenable Network Security, Inc.

Synopsis :

A remote web application is affected by a persistent cross-site
scripting vulnerability.

Description :

The remote web server hosts Struts2-rest-showcase, a demonstration
application for the Struts 2 framework. Input passed via the
'clientName' parameter to the orders page is not properly sanitized,
which can allow for arbitrary HTML and script code to be loaded onto
the system and executed when a user visits the orders page.

See also :


Solution :

Remove or restrict access to the Struts2-rest-showcase application.

Risk factor :

Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 4.1
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 60095 ()

Bugtraq ID: 51902

CVE ID: CVE-2012-1006